US9438626B1 - Risk scoring for internet protocol networks - Google Patents

Risk scoring for internet protocol networks Download PDF

Info

Publication number
US9438626B1
US9438626B1 US13/920,500 US201313920500A US9438626B1 US 9438626 B1 US9438626 B1 US 9438626B1 US 201313920500 A US201313920500 A US 201313920500A US 9438626 B1 US9438626 B1 US 9438626B1
Authority
US
United States
Prior art keywords
network
risk
related information
belonging
network element
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active, expires
Application number
US13/920,500
Inventor
Ido Zilberberg
Lior Asher
Alex Zaslavsky
Marcelo Blatt
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
EMC Corp
Original Assignee
EMC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by EMC Corp filed Critical EMC Corp
Priority to US13/920,500 priority Critical patent/US9438626B1/en
Assigned to EMC CORPORATION reassignment EMC CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: ASHER, Lior, BLATT, MARCELO, ZASLAVSKY, ALEX, ZILBERBERG, IDO
Application granted granted Critical
Publication of US9438626B1 publication Critical patent/US9438626B1/en
Assigned to THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. reassignment THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. SECURITY AGREEMENT Assignors: CREDANT TECHNOLOGIES, INC., DELL INTERNATIONAL L.L.C., DELL MARKETING L.P., DELL PRODUCTS L.P., DELL USA L.P., EMC CORPORATION, EMC IP Holding Company LLC, FORCE10 NETWORKS, INC., WYSE TECHNOLOGY L.L.C.
Assigned to THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. reassignment THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A. SECURITY AGREEMENT Assignors: CREDANT TECHNOLOGIES INC., DELL INTERNATIONAL L.L.C., DELL MARKETING L.P., DELL PRODUCTS L.P., DELL USA L.P., EMC CORPORATION, EMC IP Holding Company LLC, FORCE10 NETWORKS, INC., WYSE TECHNOLOGY L.L.C.
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/144Detection or countermeasures against botnets
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Definitions

  • the field relates generally to information technology, and more particularly to fraud detection.
  • EFNs Electronic fraud networks
  • EFNs include collaborative cross-institution online networks dedicated to sharing and disseminating information on fraudulent activity to help facilitate and maintain security for its customers.
  • EFN customers commonly share information on fraudulent activities, whereby data elements that are found to participate in potentially fraudulent transactions (as well as data elements found to participate in genuine non-fraudulent activities) are passed to a central engine for processing.
  • data elements that are found to participate in potentially fraudulent transactions are passed to a central engine for processing.
  • risk score Routinely, in existing EFN-based fraud detection approaches, such identified data elements are also assigned a risk score.
  • a risk score determines the likelihood that a given data element (for example, an internet protocol (IP) address) will be a source of additional fraud in the future.
  • IP internet protocol
  • a risk score is calculated, for example, for an IP address based solely on the history of fraudulent and/or genuine transactions associated with that particular IP address. Consequently, it is possible for a fraudster to commit fraud from a first IP address, subsequently receive a second IP address on the same network, and continue to carry out fraudulent activity without being associated with the risk score ultimately attributed to the first IP address.
  • One or more illustrative embodiments of the present invention provide risk scoring for internet protocol networks.
  • a method comprising the steps of: identifying a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information, determining each of one or more network elements previously identified as belonging to the network, and calculating a risk score assigned to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) risk-related information corresponding to each of the one or more network elements previously identified as belonging to the network.
  • a method comprising the steps of: obtaining an item of input data from an entity, wherein said item of input data comprises identification of a first network element and corresponding risk-related information, identifying a network to which the first network element belongs, and determining each of one or more network elements previously identified as belonging to the network.
  • This aspect of the invention additionally comprises the steps of calculating a risk score assigned to the network based on (i) the risk-related information corresponding to the first network element, (ii) risk-related information corresponding to each of one or more network elements previously identified as belonging to the network, and (iii) one or more items of information pertaining to a level of trust associated with the entity, and applying the risk score assigned to the network to the first network element and to each of the one or more network elements previously identified as belonging to the network.
  • the fraud detection techniques of the illustrative embodiments overcome one or more of the problems associated with the conventional techniques described previously, and provide increased accuracy for risk assessment.
  • FIG. 1 is a diagram illustrating an example network environment in which one or more embodiments of the present invention can operate;
  • FIG. 2 is a block diagram illustrating example system components, according to an embodiment of the invention.
  • FIG. 3 is a flow diagram illustrating techniques according to an embodiment of the invention.
  • FIG. 4 is a flow diagram illustrating techniques according to an embodiment of the invention.
  • FIG. 5 shows an exemplary embodiment of a communication system that may incorporate the functionality of the type illustrated in at least one embodiment of the invention.
  • FIG. 6 is a system diagram of an exemplary computer system on which at least one embodiment of the invention can be implemented.
  • the present invention provides techniques for assigning risk scoring for internet protocol (IP) networks.
  • IP internet protocol
  • At least one embodiment of the invention includes calculating a risk score for a given network based on aggregated fraud-related data that originated from various IP addresses with that network, as said items of data are fed into an EFN over time.
  • calculating a risk score for a network enables an EFN to increase the risk score associated with potentially risky or fraudulent IP addresses that may have otherwise been deemed low-risk (potentially permitting fraudulent activity to be carried out by such an IP address).
  • customers utilizing an EFN can include, for example, financial institutions as well as other companies and businesses, and such customers have end users (for example, individuals) using the customer's system.
  • At least one embodiment of the invention includes calculating a risk score for a sub-network, also referred to herein as a subnet, associated with multiple IP addresses.
  • a subnet refers to a sub-division of an IP network. Additionally, by way of further illustration, all computers that belong to a given subnet can include an identical bit-group in their IP address.
  • a communication system or computing device as used herein, is intended to be broadly construed so as to encompass any type of system in which multiple processing devices can communicate with one or more other devices.
  • FIG. 1 illustrates an example client-side computing device (CSCD) 110 communicating with an electronic fraud network (EFN) system 170 over a network 160 .
  • the network 160 can include, for example, a global computer network such as the Internet, a wide area network (WAN), a local area network (LAN), a satellite network, a telephone or cable network, or various portions or combinations of these and other types of networks.
  • the CSCD 110 is a customer server which updates the EFN system 170 (or, for example, an EFN agent) with data.
  • the CSCD 110 may represent a portable device, such as a mobile telephone, personal digital assistant (PDA), wireless email device, game console, etc.
  • the CSCD 110 may alternatively represent a desktop or laptop personal computer (PC), a microcomputer, a workstation, a mainframe computer, or any other information processing device which can benefit from the use of fraud detection techniques in accordance with the invention.
  • PC personal computer
  • a microcomputer a workstation
  • mainframe computer or any other information processing device which can benefit from the use of fraud detection techniques in accordance with the invention.
  • a given embodiment of the disclosed system may include multiple instances of CSCD 110 and possibly other system components, although only a single instance is shown in the simplified system diagram of FIG. 1 for clarity of illustration.
  • the CSCD 110 may also be referred to herein as simply a “customer.”
  • the term “customer,” as used in this context, should be understood to encompass, by way of example and without limitation, a customer device, a person utilizing or otherwise associated with the device, or a combination of both.
  • An operation described herein as being performed by a customer may therefore, for example, be performed by a customer device, a person utilizing or otherwise associated with the device, or by a combination of both the person and the device.
  • information described as being associated with a customer may, for example, be associated with a CSCD device 110 , a person utilizing or otherwise associated with the device, or a combination of both the person and the device.
  • EFN system (such as system 170 in FIG. 1 ) is described in additional detail below in connection with FIG. 2 .
  • FIG. 2 is a block diagram illustrating example system components, according to an embodiment of the invention.
  • EFN system 170 receives input data provided by a customer and outputs a risk score assigned to a subnet.
  • input data provided by a customer can include, for example, the identification of data elements (for example, in list form) that are found to participate in activities deemed potentially fraudulent by the customer, as well as the identification of data elements that are found to participate in activities deemed non-fraudulent by the customer.
  • the risk score output by EFN system 170 is generated based on the input data as well as stored previous data pertaining to related networks and/or IP addresses.
  • EFN system 170 includes a data element module 210 and a risk score calculator module 220 .
  • the data element module 210 can include multiple databases, such as IP address database 212 , containing data elements and related information pertaining to a specific IP address.
  • IP address database 212 can include historical data, that is, data elements previously provided by and/or shared by a customer pertaining to that IP address.
  • the data element module 210 can process incoming input data and store such data in an appropriate IP address database.
  • Data provided to IP address databases can include various customer submissions pertaining to a given IP address indicating that the IP address was deemed likely fraudulent or not likely fraudulent with respect to a particular transaction. Aggregation of such data over a time window (for example, the last 30 days) can yield risk scores for the subnets containing all of the origin IP addresses of said transactions.
  • the data element module 210 can include multiple databases, such as customer database 214 , containing data elements and related information pertaining to a specific customer within the EFN.
  • customer database 214 can store historical data elements and information previously provided by and/or shared by that corresponding customer over the course of past EFN activities.
  • the data analysis module can process incoming input data and store such data in an appropriate customer database. Further, one or more embodiments of the invention can be implemented without incorporation of information from a customer database such as database 214 .
  • the data element module 210 can also include multiple databases, such as subnet database 216 , containing historical data and/or information pertaining to a given network or subnet.
  • a database can include information including an identification of IP addresses within the given network or subnet, any individual risk scores associated with those individual IP addresses, as well as previous risk score calculations associated with the given network or subnet.
  • the EFN system 170 includes a risk score calculator module 220 .
  • the risk score calculator module 220 utilizes information contained within the data element module to generate a risk score associated with a given network or subnet.
  • the risk score calculator module 220 can obtain information pertaining to a given IP address via IP address database 212 (or receive information pertaining to a given IP address from the data element module 210 upon receipt of such data from a customer).
  • the risk score calculator module 220 can identify the subnet corresponding to this IP address, for example, by performing a search for said IP address in subnet database 216 , or by having the customer or an EFN agent provide subnet data along with the IP address of the transaction.
  • the risk score calculator module 220 determines which additional IP addresses already stored in the EFN database (for example, subnet database 216 ) are additionally contained within and/or associated with this identified subnet. This can be accomplished, for example, by analyzing the information stored within subnet database 216 corresponding to this subnet. Additionally, the risk score calculator module 220 can also access the subnet database (database 216 being merely one example) corresponding to the identified subnet in question to obtain relevant information such as previous risk scores, etc.
  • At least one embodiment of the invention includes using such previous risk score(s) as a starting point for a subsequent risk score calculation for the corresponding subnet, and updating the previous risk score(s) based on new and/or modified information pertaining to one or more of the IP addresses belonging to the subnet.
  • the risk score calculator module 220 Upon determining the collection of IP addresses associated with this identified subnet, the risk score calculator module 220 subsequently calculates a risk score for the subnet based on the aggregated input of all previously identified IP addresses belonging to this subnet (that is, all IP addresses stored in the EFN databases that belong to this subnet). To carry out this calculation, the risk score calculator module 220 can leverage information stored within the databases contained within the data element module 210 . For example, for each of the identified IP addresses belonging to this subnet, the risk score calculator can access the IP address database corresponding thereto (database 212 being merely one example) to obtain information pertaining to the risk level associated with each such IP address. Consequently, information pertaining to the risk level of each such IP address is aggregated by the risk score calculator module 220 to generate a risk score associated with the subnet.
  • At least one embodiment of the invention can include the following. For each IP address, EFN system 170 calculates a risk score based on the number of “fraud” and “genuine” indicators from all customers, for a given time window (for instance, the last 30 days). The EFN system can then, in one example, take the average of such risk scores over all identified IP addresses belonging to a specific subnet and assign this average to the subnet. Any additional IP addresses within this subnet that the EFN system encounters, even if marked as low risk, will be considered in light of being part of this subnet, and can be assigned that subnet's risk score.
  • the EFN system may update the relevant subnet's risk score, but the IP itself will be retained with said “Fraud Confirmed” indication.
  • at least one embodiment of the invention will not include lowering risk scores for IP addresses; rather, risk scores for individual IP addresses will only be raised if deemed necessary by the risk score of the corresponding subnet.
  • At least one embodiment of the invention can include considering an originating customer's trust or confidence level when taking into account a given IP address risk score.
  • the risk score calculator module 220 can also access one or more customer databases (database 214 being merely one example) to incorporate information pertaining to one or more customers that provided data in connection with one or more of the IP addresses belonging to the subnet in question.
  • a given customer database can include customer-specific trust information based on previous assessments and/or feedback pertaining to the accuracy and/or quality of the input data provided by the given customer.
  • a risk score calculation for a given subnet can include an aspect of weighting input data (and related IP address-specific data) based on the particular customer that provided said input data, and the level of trust associated with that customer.
  • the input data being provided by a customer having a higher trust measure will be correspondingly weighted so as to have a larger effect on any subsequent risk score calculation than the input data provided by a customer having a lower trust measure.
  • EFN system 170 will receive input data from the relevant customer identifying the first IP address as having participated in fraudulent activity. Such information will be processed and stored by data element module 210 .
  • the risk score calculator module 220 can also receive this input data pertaining to the first IP address, at which point the risk score calculator module 220 can access the relevant IP address database in data element module 210 to determine additional information pertaining to this first IP address, as well as access and search subnet databases to extract a subnet to which this first IP address belongs.
  • the risk calculator module 220 can identify all additional IP addresses belonging to that subnet which are part of IP address database 212 , and aggregate risk-related information corresponding to these additional IP addresses (obtained via the relevant IP address databases) to generate a risk score for the entire subnet. Also, in one or more embodiments of the invention, the risk score calculator module 220 can additionally incorporate trust-related information and/or measures associated with any relevant customers that had provided data to be used in the generation of this subnet risk score.
  • the EFN system generates a risk score corresponding to the subnet to which the first IP address belongs, thereby encompassing the fraudulent activity enacted by the fraudster before the fraudster transitioned to a different IP address. Accordingly, subsequent transactions originating from other IP addresses belonging to that subnet (such as the second IP address, in the above example), and for which no fraud was previously marked by customers, would receive a higher risk score as a result of the fraudster's previous fraudulent activity carried out via the first IP address.
  • at least one embodiment of the invention includes providing customers with subnet risk score data in addition to specific IP address risk score data. Customers may utilize this information, for example, to add new rules to their systems, to block transactions from IP addresses belonging to said subnets, etc.
  • One or more embodiments of the invention can additionally be implemented in the context of a network infected by malware, wherein each device within the network might be compromised. Evaluating the subnet in such a scenario can lead to more accurate risk scoring.
  • FIG. 3 is a flow diagram illustrating techniques according to an embodiment of the present invention.
  • Step 302 includes identifying a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information.
  • the first network element can be identified as having participated in fraudulent activity or non-fraudulent activity by an entity reporting said first network element address to a fraud detection system.
  • the identifying step can include searching one or more network databases to identify an entry corresponding to the first network element, and/or receiving directly from a customer, as part of data input to identify, an entry corresponding to the first network element.
  • Step 304 includes determining each of one or more network elements previously identified as belonging to the network.
  • the first network element and each additional network element can be an internet protocol address.
  • the determining step can include analyzing information pertaining to the network to identify each previously identified network element belonging thereto.
  • Step 306 includes calculating a risk score assigned to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) risk-related information corresponding to each of the one or more network elements previously identified as belonging to the network.
  • the risk-related information corresponding to each network element can be a risk score assigned to the network element.
  • the techniques depicted in FIG. 3 can also include applying the risk score assigned to the network to the first network element and to each of the one or more network elements previously identified as belonging to the network. Additionally, at least one embodiment of the invention includes iteratively updating the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to a network element belonging to the network.
  • FIG. 4 is a flow diagram illustrating techniques according to an embodiment of the present invention.
  • Step 402 includes obtaining an item of input data from an entity, wherein said item of input data comprises identification of a first network element and corresponding risk-related information.
  • Step 404 includes identifying a network to which the first network element belongs.
  • Step 406 includes determining each of one or more network elements previously identified as belonging to the network (for example, IP addresses already present in the IP address database).
  • the first network element and each additional network elements can be an internet protocol address.
  • Step 408 includes calculating a risk score assigned to the network based on (i) the risk-related information corresponding to the first network element, (ii) risk-related information corresponding to each of one or more network elements previously identified as belonging to the network, and (iii) one or more items of information pertaining to a level of trust associated with the entity.
  • Calculating the risk score based on items of information pertaining to a level of trust associated with the entity can include applying a weight to each item of risk-related information based on a level of trust associated with each entity responsible for providing the item of risk-related information.
  • the risk-related information corresponding to each network element can be a risk score assigned to the network element.
  • Step 410 includes applying the risk score assigned to the network to the first network element and to each of the one or more network elements previously identified as belonging to the network. Additionally, the techniques depicted in FIG. 4 can also include iteratively updating the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to a network element belonging to the network.
  • FIG. 5 depicts a communication system 500 comprising a plurality of mobile telephones 502 - 1 and 502 - 2 and computers 504 - 1 , 504 - 2 and 504 - 3 , configured to communicate with one another over a network 506 .
  • any two or more of the devices 502 and 504 may correspond to cryptographic devices configured to implement at least one embodiment of the invention, as previously described. It is to be appreciated that the techniques disclosed herein can be implemented in numerous other applications.
  • such computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks. Accordingly, as further detailed below, at least one embodiment of the invention includes an article of manufacture tangibly embodying computer readable instructions which, when implemented, cause a computer to carry out techniques described herein.
  • the computer program instructions may also be loaded onto a computer or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
  • each block in the flowchart or block diagrams may represent a module, component, segment, or portion of code, which comprises at least one executable instruction for implementing the specified logical function(s). It should be noted that the functions noted in the block may occur out of the order noted in the figures.
  • the techniques described herein can include providing a system, wherein the system includes distinct software modules, each being embodied on a tangible computer-readable recordable storage medium (for example, all modules embodied on the same medium, or each modules embodied on a different medium).
  • the modules can run, for example, on a hardware processor, and the techniques detailed herein can be carried out using the distinct software modules of the system executing on a hardware processor.
  • the techniques detailed herein can also be implemented via a computer program product that includes computer useable program code stored in a computer readable storage medium in a data processing system, wherein the computer useable program code was downloaded over a network from a remote data processing system.
  • the computer program product can also include, for example, computer useable program code that is stored in a computer readable storage medium in a server data processing system, wherein the computer useable program code is downloaded over a network to a remote data processing system for use in a computer readable storage medium with the remote system.
  • aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “module” or “system.”
  • An aspect of the invention or elements thereof can be implemented in the form of an apparatus including a memory and at least one processor that is coupled to the memory and operative to perform the techniques detailed herein. Also, as described herein, aspects of the present invention may take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon.
  • FIG. 6 is a system diagram of an exemplary computer system on which at least one embodiment of the invention can be implemented.
  • an example implementation employs, for example, a processor 602 , a memory 604 , and an input/output interface formed, for example, by a display 606 and a keyboard 608 .
  • the term “processor” as used herein includes any processing device(s), such as, for example, one that includes a central processing unit (CPU) and/or other forms of processing circuitry.
  • CPU central processing unit
  • memory includes memory associated with a processor or CPU, such as, for example, random access memory (RAM), read only memory (ROM), a fixed memory device (for example, a hard drive), a removable memory device (for example, a diskette), a flash memory, etc.
  • RAM random access memory
  • ROM read only memory
  • fixed memory device for example, a hard drive
  • removable memory device for example, a diskette
  • flash memory etc.
  • input/output interface includes a mechanism for inputting data to the processing unit (for example, a mouse) and a mechanism for providing results associated with the processing unit (for example, a printer).
  • the processor 602 , memory 604 , and input/output interface such as display 606 and keyboard 608 can be interconnected, for example, via bus 610 as part of a data processing unit 612 . Suitable interconnections via bus 610 , can also be provided to a network interface 614 (such as a network card), which can be provided to interface with a computer network, and to a media interface 616 (such as a diskette or compact disc read-only memory (CD-ROM) drive), which can be provided to interface with media 618 .
  • a network interface 614 such as a network card
  • media interface 616 such as a diskette or compact disc read-only memory (CD-ROM) drive
  • computer software including instructions or code for carrying out the techniques detailed herein can be stored in associated memory devices (for example, ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (for example, into RAM) and implemented by a CPU.
  • Such software can include firmware, resident software, microcode, etc.
  • a data processing system suitable for storing and/or executing program code includes at least one processor 602 coupled directly or indirectly to memory elements 604 through a system bus 610 .
  • the memory elements can include local memory employed during actual implementation of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during implementation.
  • I/O input/output
  • keyboards 608 , displays 606 , and pointing devices can be coupled to the system either directly (such as via bus 610 ) or through intervening I/O controllers.
  • Network adapters such as network interface 614 (for example, a modem, a cable modem or an Ethernet card) can also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks.
  • network interface 614 for example, a modem, a cable modem or an Ethernet card
  • a “server” includes a physical data processing system (such as system 612 as depicted in FIG. 6 ) running a server program. It will be understood that such a physical server may or may not include a display and keyboard.
  • At least one embodiment of the invention can take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon.
  • the computer readable medium can include a computer readable signal medium or a computer readable storage medium.
  • a computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing.
  • Examples include an electrical connection having one or more wires, a portable computer diskette, a hard disk, RAM, ROM, an erasable programmable read-only memory (EPROM), flash memory, an optical fiber, a portable CD-ROM, an optical storage device, a magnetic storage device, and/or any suitable combination of the foregoing.
  • a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
  • a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms such as, for example, electro-magnetic, optical, or a suitable combination thereof. More generally, a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
  • Program code embodied on a computer readable medium can be transmitted using an appropriate medium such as, for example, wireless, wireline, optical fiber cable, radio frequency (RF), and/or a suitable combination of the foregoing.
  • Computer program code for carrying out operations in accordance with one or more embodiments of the invention can be written in any combination of at least one programming language, including an object oriented programming language, and conventional procedural programming languages.
  • the program code may execute entirely on a user's computer, partly on a user's computer, as a stand-alone software package, partly on a users computer and partly on a remote computer, or entirely on the remote computer or server.
  • the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
  • LAN local area network
  • WAN wide area network
  • Internet Service Provider an Internet Service Provider

Abstract

Methods, apparatus and articles of manufacture for risk scoring for internet protocol networks are provided herein. A method includes identifying a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information, determining each of one or more network elements previously identified as belonging to the network, and calculating a risk score assigned to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) risk-related information corresponding to each of the one or more network elements previously identified as belonging to the network.

Description

FIELD
The field relates generally to information technology, and more particularly to fraud detection.
BACKGROUND
Electronic fraud networks (EFNs) include collaborative cross-institution online networks dedicated to sharing and disseminating information on fraudulent activity to help facilitate and maintain security for its customers. EFN customers commonly share information on fraudulent activities, whereby data elements that are found to participate in potentially fraudulent transactions (as well as data elements found to participate in genuine non-fraudulent activities) are passed to a central engine for processing. Routinely, in existing EFN-based fraud detection approaches, such identified data elements are also assigned a risk score.
A risk score determines the likelihood that a given data element (for example, an internet protocol (IP) address) will be a source of additional fraud in the future. In existing EFN systems and approaches, a risk score is calculated, for example, for an IP address based solely on the history of fraudulent and/or genuine transactions associated with that particular IP address. Consequently, it is possible for a fraudster to commit fraud from a first IP address, subsequently receive a second IP address on the same network, and continue to carry out fraudulent activity without being associated with the risk score ultimately attributed to the first IP address.
Accordingly, a need exists for identifying and encompassing a broader range of data elements for the purpose of assigning risk scores.
SUMMARY
One or more illustrative embodiments of the present invention provide risk scoring for internet protocol networks.
In accordance with an aspect of the invention, a method is provided comprising the steps of: identifying a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information, determining each of one or more network elements previously identified as belonging to the network, and calculating a risk score assigned to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) risk-related information corresponding to each of the one or more network elements previously identified as belonging to the network.
In accordance with another aspect of the invention, a method is provided comprising the steps of: obtaining an item of input data from an entity, wherein said item of input data comprises identification of a first network element and corresponding risk-related information, identifying a network to which the first network element belongs, and determining each of one or more network elements previously identified as belonging to the network. This aspect of the invention additionally comprises the steps of calculating a risk score assigned to the network based on (i) the risk-related information corresponding to the first network element, (ii) risk-related information corresponding to each of one or more network elements previously identified as belonging to the network, and (iii) one or more items of information pertaining to a level of trust associated with the entity, and applying the risk score assigned to the network to the first network element and to each of the one or more network elements previously identified as belonging to the network.
The fraud detection techniques of the illustrative embodiments overcome one or more of the problems associated with the conventional techniques described previously, and provide increased accuracy for risk assessment. These and other features and advantages of the present invention will become more readily apparent from the accompanying drawings and the following detailed description.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a diagram illustrating an example network environment in which one or more embodiments of the present invention can operate;
FIG. 2 is a block diagram illustrating example system components, according to an embodiment of the invention;
FIG. 3 is a flow diagram illustrating techniques according to an embodiment of the invention;
FIG. 4 is a flow diagram illustrating techniques according to an embodiment of the invention;
FIG. 5 shows an exemplary embodiment of a communication system that may incorporate the functionality of the type illustrated in at least one embodiment of the invention; and
FIG. 6 is a system diagram of an exemplary computer system on which at least one embodiment of the invention can be implemented.
 DETAILED DESCRIPTION
As will be described, the present invention, in one or more illustrative embodiments, provides techniques for assigning risk scoring for internet protocol (IP) networks. At least one embodiment of the invention includes calculating a risk score for a given network based on aggregated fraud-related data that originated from various IP addresses with that network, as said items of data are fed into an EFN over time. Accordingly, calculating a risk score for a network (as opposed to merely calculating risk scores for individual IP addresses therein) enables an EFN to increase the risk score associated with potentially risky or fraudulent IP addresses that may have otherwise been deemed low-risk (potentially permitting fraudulent activity to be carried out by such an IP address). By way of example, customers utilizing an EFN can include, for example, financial institutions as well as other companies and businesses, and such customers have end users (for example, individuals) using the customer's system.
Additionally, at least one embodiment of the invention includes calculating a risk score for a sub-network, also referred to herein as a subnet, associated with multiple IP addresses. As used herein, a subnet refers to a sub-division of an IP network. Additionally, by way of further illustration, all computers that belong to a given subnet can include an identical bit-group in their IP address.
Illustrative embodiments of the present invention will be described herein with reference to exemplary communication systems and associated processing devices. It is to be appreciated, however, that the invention is not restricted to use with the particular illustrative system and device configurations shown. Accordingly, a communication system or computing device, as used herein, is intended to be broadly construed so as to encompass any type of system in which multiple processing devices can communicate with one or more other devices.
FIG. 1 illustrates an example client-side computing device (CSCD) 110 communicating with an electronic fraud network (EFN) system 170 over a network 160. The network 160 can include, for example, a global computer network such as the Internet, a wide area network (WAN), a local area network (LAN), a satellite network, a telephone or cable network, or various portions or combinations of these and other types of networks.
In at least one embodiment of the invention, the CSCD 110 is a customer server which updates the EFN system 170 (or, for example, an EFN agent) with data. Such an embodiment can be implemented within the context of a business-to-business (B2B) application. Accordingly, the CSCD 110 may represent a portable device, such as a mobile telephone, personal digital assistant (PDA), wireless email device, game console, etc. The CSCD 110 may alternatively represent a desktop or laptop personal computer (PC), a microcomputer, a workstation, a mainframe computer, or any other information processing device which can benefit from the use of fraud detection techniques in accordance with the invention. It is to be appreciated that a given embodiment of the disclosed system may include multiple instances of CSCD 110 and possibly other system components, although only a single instance is shown in the simplified system diagram of FIG. 1 for clarity of illustration.
The CSCD 110 may also be referred to herein as simply a “customer.” The term “customer,” as used in this context, should be understood to encompass, by way of example and without limitation, a customer device, a person utilizing or otherwise associated with the device, or a combination of both. An operation described herein as being performed by a customer may therefore, for example, be performed by a customer device, a person utilizing or otherwise associated with the device, or by a combination of both the person and the device. Similarly, information described as being associated with a customer may, for example, be associated with a CSCD device 110, a person utilizing or otherwise associated with the device, or a combination of both the person and the device.
An exemplary EFN system (such as system 170 in FIG. 1) is described in additional detail below in connection with FIG. 2.
FIG. 2 is a block diagram illustrating example system components, according to an embodiment of the invention. By way of illustration, FIG. 2 depicts EFN system 170, as noted above, which receives input data provided by a customer and outputs a risk score assigned to a subnet. As noted herein, input data provided by a customer can include, for example, the identification of data elements (for example, in list form) that are found to participate in activities deemed potentially fraudulent by the customer, as well as the identification of data elements that are found to participate in activities deemed non-fraudulent by the customer. Additionally, as described herein, the risk score output by EFN system 170 is generated based on the input data as well as stored previous data pertaining to related networks and/or IP addresses.
As depicted in FIG. 2, EFN system 170 includes a data element module 210 and a risk score calculator module 220. As described further herein, the data element module 210 can include multiple databases, such as IP address database 212, containing data elements and related information pertaining to a specific IP address. By way of example, IP address database 212 can include historical data, that is, data elements previously provided by and/or shared by a customer pertaining to that IP address. Additionally, the data element module 210 can process incoming input data and store such data in an appropriate IP address database. Data provided to IP address databases can include various customer submissions pertaining to a given IP address indicating that the IP address was deemed likely fraudulent or not likely fraudulent with respect to a particular transaction. Aggregation of such data over a time window (for example, the last 30 days) can yield risk scores for the subnets containing all of the origin IP addresses of said transactions.
Additionally, the data element module 210 can include multiple databases, such as customer database 214, containing data elements and related information pertaining to a specific customer within the EFN. Similarly, customer database 214 can store historical data elements and information previously provided by and/or shared by that corresponding customer over the course of past EFN activities. Additionally, as with input IP address data, the data analysis module can process incoming input data and store such data in an appropriate customer database. Further, one or more embodiments of the invention can be implemented without incorporation of information from a customer database such as database 214.
The data element module 210 can also include multiple databases, such as subnet database 216, containing historical data and/or information pertaining to a given network or subnet. Such a database can include information including an identification of IP addresses within the given network or subnet, any individual risk scores associated with those individual IP addresses, as well as previous risk score calculations associated with the given network or subnet.
Further, as noted above, the EFN system 170 includes a risk score calculator module 220. The risk score calculator module 220 utilizes information contained within the data element module to generate a risk score associated with a given network or subnet. For example, the risk score calculator module 220 can obtain information pertaining to a given IP address via IP address database 212 (or receive information pertaining to a given IP address from the data element module 210 upon receipt of such data from a customer). Accordingly, the risk score calculator module 220 can identify the subnet corresponding to this IP address, for example, by performing a search for said IP address in subnet database 216, or by having the customer or an EFN agent provide subnet data along with the IP address of the transaction. Once a correct subnet (that is, a subnet containing the given IP address) is identified, the risk score calculator module 220 determines which additional IP addresses already stored in the EFN database (for example, subnet database 216) are additionally contained within and/or associated with this identified subnet. This can be accomplished, for example, by analyzing the information stored within subnet database 216 corresponding to this subnet. Additionally, the risk score calculator module 220 can also access the subnet database (database 216 being merely one example) corresponding to the identified subnet in question to obtain relevant information such as previous risk scores, etc. At least one embodiment of the invention includes using such previous risk score(s) as a starting point for a subsequent risk score calculation for the corresponding subnet, and updating the previous risk score(s) based on new and/or modified information pertaining to one or more of the IP addresses belonging to the subnet.
Upon determining the collection of IP addresses associated with this identified subnet, the risk score calculator module 220 subsequently calculates a risk score for the subnet based on the aggregated input of all previously identified IP addresses belonging to this subnet (that is, all IP addresses stored in the EFN databases that belong to this subnet). To carry out this calculation, the risk score calculator module 220 can leverage information stored within the databases contained within the data element module 210. For example, for each of the identified IP addresses belonging to this subnet, the risk score calculator can access the IP address database corresponding thereto (database 212 being merely one example) to obtain information pertaining to the risk level associated with each such IP address. Consequently, information pertaining to the risk level of each such IP address is aggregated by the risk score calculator module 220 to generate a risk score associated with the subnet.
With respect to aggregating data corresponding to individual IP addresses, at least one embodiment of the invention can include the following. For each IP address, EFN system 170 calculates a risk score based on the number of “fraud” and “genuine” indicators from all customers, for a given time window (for instance, the last 30 days). The EFN system can then, in one example, take the average of such risk scores over all identified IP addresses belonging to a specific subnet and assign this average to the subnet. Any additional IP addresses within this subnet that the EFN system encounters, even if marked as low risk, will be considered in light of being part of this subnet, and can be assigned that subnet's risk score. It is also noted that if a customer provides an IP address with a “Fraud Confirmed” indication, the EFN system may update the relevant subnet's risk score, but the IP itself will be retained with said “Fraud Confirmed” indication. In other words, at least one embodiment of the invention will not include lowering risk scores for IP addresses; rather, risk scores for individual IP addresses will only be raised if deemed necessary by the risk score of the corresponding subnet.
Additionally, as further described herein, at least one embodiment of the invention can include considering an originating customer's trust or confidence level when taking into account a given IP address risk score.
Also, in at least one embodiment of the invention, the risk score calculator module 220 can also access one or more customer databases (database 214 being merely one example) to incorporate information pertaining to one or more customers that provided data in connection with one or more of the IP addresses belonging to the subnet in question. By way of example, a given customer database can include customer-specific trust information based on previous assessments and/or feedback pertaining to the accuracy and/or quality of the input data provided by the given customer. Accordingly, in at least one embodiment of the invention, a risk score calculation for a given subnet can include an aspect of weighting input data (and related IP address-specific data) based on the particular customer that provided said input data, and the level of trust associated with that customer. By way of example, the input data being provided by a customer having a higher trust measure will be correspondingly weighted so as to have a larger effect on any subsequent risk score calculation than the input data provided by a customer having a lower trust measure.
In connection with the depiction in FIG. 2, consider the following use case example wherein a fraudster participates in fraudulent activity from a first IP address. Assuming that the fraud was detected and marked in the case management of the relevant entity (that is, customer), the fraudster can nonetheless subsequently obtain a different second IP address by releasing the first IP address and renewing a request for an IP address. Commonly, a similar but not identical IP address will be provided to the fraudster in such a scenario.
Accordingly, EFN system 170 will receive input data from the relevant customer identifying the first IP address as having participated in fraudulent activity. Such information will be processed and stored by data element module 210. The risk score calculator module 220 can also receive this input data pertaining to the first IP address, at which point the risk score calculator module 220 can access the relevant IP address database in data element module 210 to determine additional information pertaining to this first IP address, as well as access and search subnet databases to extract a subnet to which this first IP address belongs. Once the appropriate subnet is identified, the risk calculator module 220 can identify all additional IP addresses belonging to that subnet which are part of IP address database 212, and aggregate risk-related information corresponding to these additional IP addresses (obtained via the relevant IP address databases) to generate a risk score for the entire subnet. Also, in one or more embodiments of the invention, the risk score calculator module 220 can additionally incorporate trust-related information and/or measures associated with any relevant customers that had provided data to be used in the generation of this subnet risk score.
Consequently, to continue with the above example use case scenario, the EFN system generates a risk score corresponding to the subnet to which the first IP address belongs, thereby encompassing the fraudulent activity enacted by the fraudster before the fraudster transitioned to a different IP address. Accordingly, subsequent transactions originating from other IP addresses belonging to that subnet (such as the second IP address, in the above example), and for which no fraud was previously marked by customers, would receive a higher risk score as a result of the fraudster's previous fraudulent activity carried out via the first IP address. As such, at least one embodiment of the invention includes providing customers with subnet risk score data in addition to specific IP address risk score data. Customers may utilize this information, for example, to add new rules to their systems, to block transactions from IP addresses belonging to said subnets, etc.
One or more embodiments of the invention can additionally be implemented in the context of a network infected by malware, wherein each device within the network might be compromised. Evaluating the subnet in such a scenario can lead to more accurate risk scoring.
FIG. 3 is a flow diagram illustrating techniques according to an embodiment of the present invention. Step 302 includes identifying a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information. For example, the first network element can be identified as having participated in fraudulent activity or non-fraudulent activity by an entity reporting said first network element address to a fraud detection system. Also, the identifying step can include searching one or more network databases to identify an entry corresponding to the first network element, and/or receiving directly from a customer, as part of data input to identify, an entry corresponding to the first network element.
Step 304 includes determining each of one or more network elements previously identified as belonging to the network. As described herein, the first network element and each additional network element can be an internet protocol address. Also, the determining step can include analyzing information pertaining to the network to identify each previously identified network element belonging thereto.
Step 306 includes calculating a risk score assigned to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) risk-related information corresponding to each of the one or more network elements previously identified as belonging to the network. The risk-related information corresponding to each network element can be a risk score assigned to the network element.
The techniques depicted in FIG. 3 can also include applying the risk score assigned to the network to the first network element and to each of the one or more network elements previously identified as belonging to the network. Additionally, at least one embodiment of the invention includes iteratively updating the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to a network element belonging to the network.
FIG. 4 is a flow diagram illustrating techniques according to an embodiment of the present invention. Step 402 includes obtaining an item of input data from an entity, wherein said item of input data comprises identification of a first network element and corresponding risk-related information. Step 404 includes identifying a network to which the first network element belongs. Step 406 includes determining each of one or more network elements previously identified as belonging to the network (for example, IP addresses already present in the IP address database). As noted herein, the first network element and each additional network elements can be an internet protocol address.
Step 408 includes calculating a risk score assigned to the network based on (i) the risk-related information corresponding to the first network element, (ii) risk-related information corresponding to each of one or more network elements previously identified as belonging to the network, and (iii) one or more items of information pertaining to a level of trust associated with the entity. Calculating the risk score based on items of information pertaining to a level of trust associated with the entity can include applying a weight to each item of risk-related information based on a level of trust associated with each entity responsible for providing the item of risk-related information. As additionally noted herein, the risk-related information corresponding to each network element can be a risk score assigned to the network element.
Step 410 includes applying the risk score assigned to the network to the first network element and to each of the one or more network elements previously identified as belonging to the network. Additionally, the techniques depicted in FIG. 4 can also include iteratively updating the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to a network element belonging to the network.
Fraud detection techniques of the type described herein may be implemented in a wide variety of different applications. One exemplary communication system applications that may incorporate such techniques will now be described with reference to FIG. 5. Accordingly, FIG. 5 depicts a communication system 500 comprising a plurality of mobile telephones 502-1 and 502-2 and computers 504-1, 504-2 and 504-3, configured to communicate with one another over a network 506.
Any two or more of the devices 502 and 504 may correspond to cryptographic devices configured to implement at least one embodiment of the invention, as previously described. It is to be appreciated that the techniques disclosed herein can be implemented in numerous other applications.
Aspects of the present invention are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It is to be appreciated that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
As further described herein, such computer program instructions may also be stored in a computer readable medium that can direct a computer, other programmable data processing apparatus, or other devices to function in a particular manner, such that the instructions stored in the computer readable medium produce an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks. Accordingly, as further detailed below, at least one embodiment of the invention includes an article of manufacture tangibly embodying computer readable instructions which, when implemented, cause a computer to carry out techniques described herein.
The computer program instructions may also be loaded onto a computer or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide processes for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, component, segment, or portion of code, which comprises at least one executable instruction for implementing the specified logical function(s). It should be noted that the functions noted in the block may occur out of the order noted in the figures.
Accordingly, the techniques described herein can include providing a system, wherein the system includes distinct software modules, each being embodied on a tangible computer-readable recordable storage medium (for example, all modules embodied on the same medium, or each modules embodied on a different medium). The modules can run, for example, on a hardware processor, and the techniques detailed herein can be carried out using the distinct software modules of the system executing on a hardware processor.
Additionally, the techniques detailed herein can also be implemented via a computer program product that includes computer useable program code stored in a computer readable storage medium in a data processing system, wherein the computer useable program code was downloaded over a network from a remote data processing system. The computer program product can also include, for example, computer useable program code that is stored in a computer readable storage medium in a server data processing system, wherein the computer useable program code is downloaded over a network to a remote data processing system for use in a computer readable storage medium with the remote system.
As will be appreciated by one skilled in the art, aspects of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment (including firmware, resident software, micro-code, etc.) or an embodiment combining software and hardware aspects that may all generally be referred to herein as a “module” or “system.”
An aspect of the invention or elements thereof can be implemented in the form of an apparatus including a memory and at least one processor that is coupled to the memory and operative to perform the techniques detailed herein. Also, as described herein, aspects of the present invention may take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon.
By way of example, an aspect of the present invention can make use of software running on a general purpose computer. As noted above, FIG. 6 is a system diagram of an exemplary computer system on which at least one embodiment of the invention can be implemented. As depicted in FIG. 6, an example implementation employs, for example, a processor 602, a memory 604, and an input/output interface formed, for example, by a display 606 and a keyboard 608. The term “processor” as used herein includes any processing device(s), such as, for example, one that includes a central processing unit (CPU) and/or other forms of processing circuitry. The term “memory” includes memory associated with a processor or CPU, such as, for example, random access memory (RAM), read only memory (ROM), a fixed memory device (for example, a hard drive), a removable memory device (for example, a diskette), a flash memory, etc. Further, the phrase “input/output interface,” as used herein, includes a mechanism for inputting data to the processing unit (for example, a mouse) and a mechanism for providing results associated with the processing unit (for example, a printer).
The processor 602, memory 604, and input/output interface such as display 606 and keyboard 608 can be interconnected, for example, via bus 610 as part of a data processing unit 612. Suitable interconnections via bus 610, can also be provided to a network interface 614 (such as a network card), which can be provided to interface with a computer network, and to a media interface 616 (such as a diskette or compact disc read-only memory (CD-ROM) drive), which can be provided to interface with media 618.
Accordingly, computer software including instructions or code for carrying out the techniques detailed herein can be stored in associated memory devices (for example, ROM, fixed or removable memory) and, when ready to be utilized, loaded in part or in whole (for example, into RAM) and implemented by a CPU. Such software can include firmware, resident software, microcode, etc.
As noted above, a data processing system suitable for storing and/or executing program code includes at least one processor 602 coupled directly or indirectly to memory elements 604 through a system bus 610. The memory elements can include local memory employed during actual implementation of the program code, bulk storage, and cache memories which provide temporary storage of at least some program code in order to reduce the number of times code must be retrieved from bulk storage during implementation. Also, input/output (I/O) devices such as keyboards 608, displays 606, and pointing devices, can be coupled to the system either directly (such as via bus 610) or through intervening I/O controllers.
Network adapters such as network interface 614 (for example, a modem, a cable modem or an Ethernet card) can also be coupled to the system to enable the data processing system to become coupled to other data processing systems or remote printers or storage devices through intervening private or public networks.
As used herein, a “server” includes a physical data processing system (such as system 612 as depicted in FIG. 6) running a server program. It will be understood that such a physical server may or may not include a display and keyboard.
As noted, at least one embodiment of the invention can take the form of a computer program product embodied in a computer readable medium having computer readable program code embodied thereon. As will be appreciated, any combination of computer readable media may be utilized. The computer readable medium can include a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Examples include an electrical connection having one or more wires, a portable computer diskette, a hard disk, RAM, ROM, an erasable programmable read-only memory (EPROM), flash memory, an optical fiber, a portable CD-ROM, an optical storage device, a magnetic storage device, and/or any suitable combination of the foregoing. More generally, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
Additionally, a computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated signal may take any of a variety of forms such as, for example, electro-magnetic, optical, or a suitable combination thereof. More generally, a computer readable signal medium may be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium can be transmitted using an appropriate medium such as, for example, wireless, wireline, optical fiber cable, radio frequency (RF), and/or a suitable combination of the foregoing. Computer program code for carrying out operations in accordance with one or more embodiments of the invention can be written in any combination of at least one programming language, including an object oriented programming language, and conventional procedural programming languages. The program code may execute entirely on a user's computer, partly on a user's computer, as a stand-alone software package, partly on a users computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet Service Provider).
In light of the above descriptions, it should be understood that the components illustrated herein can be implemented in various forms of hardware, software, or combinations thereof, for example, application specific integrated circuit(s) (ASICS), functional circuitry, an appropriately programmed general purpose digital computer with associated memory, etc.
Terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. For example, the singular forms “a,” “an” and “the” are intended to include the plural forms as well, unless clearly indicated otherwise. It will be further understood that the terms “comprises” and/or “comprising,” as used herein, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of another feature, integer, step, operation, element, component, and/or group thereof. Additionally, the corresponding structures, materials, acts, and equivalents of all means or step plus function elements in the claims are intended to include any structure, material, or act for performing the function in combination with other claimed elements as specifically claimed.
Also, it should again be emphasized that the above-described embodiments of the invention are presented for purposes of illustration only. Many variations and other alternative embodiments may be used. For example, the techniques are applicable to a wide variety of other types of communication systems and cryptographic devices that can benefit from fraud detection techniques. Accordingly, the particular illustrative configurations of system and device elements detailed herein can be varied in other embodiments. These and numerous other alternative embodiments within the scope of the appended claims will be readily apparent to those skilled in the art.

Claims (20)

What is claimed is:
1. A method comprising:
identifying a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information comprising one of (i) a fraudulent activity on the network within a given time period and (ii) a genuine activity on the network within the given time period;
determining each of multiple network elements previously identified as belonging to the network, wherein said multiple network elements comprise risk-related information comprising (i) one or more fraudulent activities on the network within the given time period and (ii) one or more genuine activities on the network within the given time period;
calculating a risk score assigned to the network to attribute a likelihood of fraudulent activity to occur in connection with any of the network elements belonging to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) the risk-related information corresponding to the multiple network elements previously identified as belonging to the network, and wherein said calculating further comprises applying a weight to each item of risk-related information based on a level of trust associated with each entity responsible for providing the item of risk-related information;
applying the risk score assigned to the network to (i) the first network element and (ii) to each of the multiple network elements previously identified as belonging to the network, thereby attributing the same likelihood of fraudulent activity occurring in connection with (i) the first network element and (ii) each of the multiple network elements previously identified as belonging to the network; and
iteratively updating the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to any network element belonging to the network;
wherein the steps are carried out by at least one computing device.
2. The method of claim 1, wherein each of said network elements comprises an internet protocol address.
3. The method of claim 1, wherein said identifying comprises searching one or more network databases to identify an entry corresponding to the first network element.
4. The method of claim 1, wherein said identifying comprises receiving an entry corresponding to the first network element directly from a customer.
5. The method of claim 1, wherein said determining comprises analyzing information pertaining to the network to identify each previously identified network element belonging thereto.
6. The method of claim 1, wherein said first network element is identified as having participated in fraudulent activity by an entity reporting said first network element to a fraud detection system.
7. The method of claim 1, wherein said risk-related information corresponding to the first network element comprises a risk score assigned to the first network element, and wherein said risk-related information corresponding to each of the multiple network elements previously identified as belonging to the network comprises a risk score assigned to each of the multiple network elements previously identified as belonging to the network.
8. An article of manufacture comprising a non-transitory processor-readable storage medium having processor-readable instructions tangibly embodied thereon which, when implemented, cause a processor to carry out steps comprising:
identifying a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information comprising one of (i) a fraudulent activity on the network within a given time period and (ii) a genuine activity on the network within the given time period;
determining each of multiple network elements previously identified as belonging to the network, wherein said multiple network elements comprise risk-related information comprising (i) one or more fraudulent activities on the network within the given time period and (ii) one or more genuine activities on the network within the given time period;
calculating a risk score assigned to the network to attribute a likelihood of fraudulent activity to occur in connection with any of the network elements belonging to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) the risk-related information corresponding to the multiple network elements previously identified as belonging to the network, and wherein said calculating further comprises applying a weight to each item of risk-related information based on a level of trust associated with each entity responsible for providing the item of risk-related information;
applying the risk score assigned to the network to (i) the first network element and (ii) to each of the multiple network elements previously identified as belonging to the network, thereby attributing the same likelihood of fraudulent activity occurring in connection with (i) the first network element and (ii) each of the multiple network elements previously identified as belonging to the network; and
iteratively updating the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to any network element belonging to the network.
9. The article of manufacture of claim 8, wherein each of said network elements comprises an internet protocol address.
10. The article of manufacture of claim 8, wherein said identifying comprises searching one or more network databases to identify an entry corresponding to the first network element.
11. The article of manufacture of claim 8, wherein said identifying comprises receiving an entry corresponding to the first network element directly from a customer.
12. The article of manufacture of claim 8, wherein said determining comprises analyzing information pertaining to the network to identify each previously identified network element belonging thereto.
13. An apparatus comprising:
a memory; and
at least one processor coupled to the memory and configured to:
identify a network to which a first network element belongs, wherein said first network element comprises corresponding risk-related information comprising one of (i) a fraudulent activity on the network within a given time period and (ii) a genuine activity on the network within the given time period;
determine each of multiple network elements previously identified as belonging to the network, wherein said multiple network elements comprise risk-related information comprising (i) one or more fraudulent activities on the network within the given time period and (ii) one or more genuine activities on the network within the given time period;
calculate a risk score assigned to the network to attribute a likelihood of fraudulent activity to occur in connection with any of the network elements belonging to the network, wherein said calculating comprises aggregating (i) the risk-related information corresponding to the first network element and (ii) the risk-related information corresponding to the multiple network elements previously identified as belonging to the network, and wherein said calculating further comprises applying a weight to each item of risk-related information based on a level of trust associated with each entity responsible for providing the item of risk-related information;
apply the risk score assigned to the network to (i) the first network element and (ii) to each of the multiple network elements previously identified as belonging to the network, thereby attributing the same likelihood of fraudulent activity occurring in connection with (i) the first network element and (ii) each of the multiple network elements previously identified as belonging to the network; and
iteratively update the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to any network element belonging to the network.
14. The apparatus of claim 13, further comprising:
one or more databases for storing risk-related information pertaining to one or more network elements.
15. The apparatus of claim 13, further comprising:
one or more databases for storing risk-related information pertaining to one or more networks.
16. A method comprising:
obtaining an item of input data from an entity, wherein said item of input data comprises identification of a first network element and corresponding risk-related information comprising one of (i) a fraudulent activity on the network within a given time period and (ii) a genuine activity on the network within the given time period;
identifying a network to which the first network element belongs;
determining each of multiple network elements previously identified as belonging to the network, wherein said multiple network elements comprise risk-related information comprising (i) one or more fraudulent activities on the network within the given time period and (ii) one or more genuine activities on the network within the given time period;
calculating a risk score assigned to the network to attribute a likelihood of fraudulent activity to occur in connection with any of the network elements belonging to the network based on (i) the risk-related information corresponding to the first network element, (ii) the risk-related information corresponding to the multiple network elements previously identified as belonging to the network, and (iii) one or more items of information pertaining to a level of trust associated with the entity, wherein said calculating comprises applying a weight to each item of risk-related information based on a level of trust associated with each entity responsible for providing the item of risk-related information;
applying the risk score assigned to the network to (i) the first network element and to (ii) each of the multiple network elements previously identified as belonging to the network, thereby attributing the same likelihood of fraudulent activity occurring in connection with (i) the first network element and (ii) each of the multiple network elements previously identified as belonging to the network; and
iteratively updating the risk score assigned to the network upon receipt of each additional item of risk-related information pertaining to any network element belonging to the network;
wherein the steps are carried out by at least one computing device.
17. The method of claim 16, wherein said first network element comprises an internet protocol address.
18. The method of claim 16, wherein said risk-related information corresponding to the first network element comprises a risk score assigned to the first network element.
19. The method of claim 16, wherein each of the one or more network elements previously identified as belonging to the network comprises an internet protocol address.
20. The method of claim 16, wherein said risk-related information corresponding to each of the multiple network elements previously identified as belonging to the network comprises a risk score assigned to each of the multiple network elements.
US13/920,500 2013-06-18 2013-06-18 Risk scoring for internet protocol networks Active 2033-11-23 US9438626B1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/920,500 US9438626B1 (en) 2013-06-18 2013-06-18 Risk scoring for internet protocol networks

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US13/920,500 US9438626B1 (en) 2013-06-18 2013-06-18 Risk scoring for internet protocol networks

Publications (1)

Publication Number Publication Date
US9438626B1 true US9438626B1 (en) 2016-09-06

Family

ID=56878435

Family Applications (1)

Application Number Title Priority Date Filing Date
US13/920,500 Active 2033-11-23 US9438626B1 (en) 2013-06-18 2013-06-18 Risk scoring for internet protocol networks

Country Status (1)

Country Link
US (1) US9438626B1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9800606B1 (en) * 2015-11-25 2017-10-24 Symantec Corporation Systems and methods for evaluating network security
US10284588B2 (en) * 2016-09-27 2019-05-07 Cisco Technology, Inc. Dynamic selection of security posture for devices in a network using risk scoring
US10791137B2 (en) 2018-03-14 2020-09-29 Synack, Inc. Risk assessment and remediation
US11500799B2 (en) 2020-09-23 2022-11-15 EMC IP Holding Company LLC Managing access to a CPU on behalf of a block application and a non-block application

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5627886A (en) * 1994-09-22 1997-05-06 Electronic Data Systems Corporation System and method for detecting fraudulent network usage patterns using real-time network monitoring
US20060053490A1 (en) * 2002-12-24 2006-03-09 Herz Frederick S System and method for a distributed application and network security system (SDI-SCAM)
US20060190287A1 (en) * 2004-10-15 2006-08-24 Rearden Commerce, Inc. Fraudulent address database
US20080052758A1 (en) * 2006-08-23 2008-02-28 Byrnes Tomas L Method and system for propagating network policy
US20080244748A1 (en) * 2007-04-02 2008-10-02 Microsoft Corporation Detecting compromised computers by correlating reputation data with web access logs
US20090083184A1 (en) * 2007-09-26 2009-03-26 Ori Eisen Methods and Apparatus for Detecting Fraud with Time Based Computer Tags
US20090172815A1 (en) * 2007-04-04 2009-07-02 Guofei Gu Method and apparatus for detecting malware infection
US20100235915A1 (en) * 2009-03-12 2010-09-16 Nasir Memon Using host symptoms, host roles, and/or host reputation for detection of host infection
US20100275263A1 (en) * 2009-04-24 2010-10-28 Allgress, Inc. Enterprise Information Security Management Software For Prediction Modeling With Interactive Graphs
US20110251951A1 (en) * 2010-04-13 2011-10-13 Dan Kolkowitz Anti-fraud event correlation
US20110252472A1 (en) * 2010-04-08 2011-10-13 At&T Intellectual Property I, L.P. Bot-Network Detection Based on Simple Mail Transfer Protocol (SMTP) Characteristics of E-Mail Senders Within IP Address Aggregates
US8079083B1 (en) * 2005-09-02 2011-12-13 Symantec Corporation Method and system for recording network traffic and predicting potential security events
US20130227016A1 (en) * 2012-02-24 2013-08-29 Mark RISHER Detection and prevention of unwanted content on cloud-hosted services
US20140143825A1 (en) * 2012-11-16 2014-05-22 Microsoft Corporation Reputation-Based In-Network Filtering of Client Event Information
US20140283049A1 (en) * 2013-03-14 2014-09-18 Bank Of America Corporation Handling information security incidents

Patent Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5627886A (en) * 1994-09-22 1997-05-06 Electronic Data Systems Corporation System and method for detecting fraudulent network usage patterns using real-time network monitoring
US20060053490A1 (en) * 2002-12-24 2006-03-09 Herz Frederick S System and method for a distributed application and network security system (SDI-SCAM)
US20060190287A1 (en) * 2004-10-15 2006-08-24 Rearden Commerce, Inc. Fraudulent address database
US8079083B1 (en) * 2005-09-02 2011-12-13 Symantec Corporation Method and system for recording network traffic and predicting potential security events
US20080052758A1 (en) * 2006-08-23 2008-02-28 Byrnes Tomas L Method and system for propagating network policy
US20080244748A1 (en) * 2007-04-02 2008-10-02 Microsoft Corporation Detecting compromised computers by correlating reputation data with web access logs
US20090172815A1 (en) * 2007-04-04 2009-07-02 Guofei Gu Method and apparatus for detecting malware infection
US20090083184A1 (en) * 2007-09-26 2009-03-26 Ori Eisen Methods and Apparatus for Detecting Fraud with Time Based Computer Tags
US20100235915A1 (en) * 2009-03-12 2010-09-16 Nasir Memon Using host symptoms, host roles, and/or host reputation for detection of host infection
US20100275263A1 (en) * 2009-04-24 2010-10-28 Allgress, Inc. Enterprise Information Security Management Software For Prediction Modeling With Interactive Graphs
US20110252472A1 (en) * 2010-04-08 2011-10-13 At&T Intellectual Property I, L.P. Bot-Network Detection Based on Simple Mail Transfer Protocol (SMTP) Characteristics of E-Mail Senders Within IP Address Aggregates
US20110251951A1 (en) * 2010-04-13 2011-10-13 Dan Kolkowitz Anti-fraud event correlation
US20130227016A1 (en) * 2012-02-24 2013-08-29 Mark RISHER Detection and prevention of unwanted content on cloud-hosted services
US20140143825A1 (en) * 2012-11-16 2014-05-22 Microsoft Corporation Reputation-Based In-Network Filtering of Client Event Information
US20140283049A1 (en) * 2013-03-14 2014-09-18 Bank Of America Corporation Handling information security incidents

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Context-Aware Network Security; Sushant Sinha; University of Michigan; 2009. *
Detecting Malicious Websites by Learning IP Address Features; Daiki Chiba et al.; 2012 IEEE/IPSJ 12th International Symposium on Applications and the Internet; 2012. *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9800606B1 (en) * 2015-11-25 2017-10-24 Symantec Corporation Systems and methods for evaluating network security
US10284588B2 (en) * 2016-09-27 2019-05-07 Cisco Technology, Inc. Dynamic selection of security posture for devices in a network using risk scoring
US10791137B2 (en) 2018-03-14 2020-09-29 Synack, Inc. Risk assessment and remediation
US11500799B2 (en) 2020-09-23 2022-11-15 EMC IP Holding Company LLC Managing access to a CPU on behalf of a block application and a non-block application

Similar Documents

Publication Publication Date Title
US10764297B2 (en) Anonymized persona identifier
US10438297B2 (en) Anti-money laundering platform for mining and analyzing data to identify money launderers
US20170140382A1 (en) Identifying transactional fraud utilizing transaction payment relationship graph link prediction
US8458090B1 (en) Detecting fraudulent mobile money transactions
US20150026061A1 (en) Real time analytics system
US10373140B1 (en) Method and system for detecting fraudulent bill payment transactions using dynamic multi-parameter predictive modeling
US10755196B2 (en) Determining retraining of predictive models
US11593811B2 (en) Fraud detection based on community change analysis using a machine learning model
US11574360B2 (en) Fraud detection based on community change analysis
US11257088B2 (en) Knowledge neighbourhoods for evaluating business events
US9392012B2 (en) Application security testing system
US11205180B2 (en) Fraud detection based on an analysis of messages in a messaging account
CN113011856B (en) Online residence method and device for energy enterprise, electronic equipment and medium
US9438626B1 (en) Risk scoring for internet protocol networks
US11968184B2 (en) Digital identity network alerts
US20150120679A1 (en) System and method for identifying an individual from one or more identities and their associated data
US10742642B2 (en) User authentication based on predictive applications
CN114358147A (en) Training method, identification method, device and equipment of abnormal account identification model
US20190325448A1 (en) Social media based bill pay and authentication
WO2019095569A1 (en) Financial analysis method based on financial and economic event on microblog, application server, and computer readable storage medium
US9038175B1 (en) Providing an automatic electronic fraud network data quality feedback loop
US9047608B1 (en) Method and system to improve risk assessments in fraud detection systems using machine identifiers
CN112541765A (en) Method and apparatus for detecting suspicious transactions
CN115795345A (en) Information processing method, device, equipment and storage medium
US20230077289A1 (en) System for electronic data artifact testing using a hybrid centralized-decentralized computing platform

Legal Events

Date Code Title Description
AS Assignment

Owner name: EMC CORPORATION, MASSACHUSETTS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:ZILBERBERG, IDO;ASHER, LIOR;ZASLAVSKY, ALEX;AND OTHERS;REEL/FRAME:031100/0241

Effective date: 20130721

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., T

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES, INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:049452/0223

Effective date: 20190320

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4

AS Assignment

Owner name: THE BANK OF NEW YORK MELLON TRUST COMPANY, N.A., TEXAS

Free format text: SECURITY AGREEMENT;ASSIGNORS:CREDANT TECHNOLOGIES INC.;DELL INTERNATIONAL L.L.C.;DELL MARKETING L.P.;AND OTHERS;REEL/FRAME:053546/0001

Effective date: 20200409

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 8